Public or private components

The different components that make up an Android app can be either public or private:

a public component can be accessed by components in other apps, e.g. a public Service or Activity can be started by another app

a private component can only be accessed by other components within the same app

Android applies certain conventions that mean the different types of component: Activity, Service, Broadcast Receiver, and Content Provider, default to either being public or private depending upon how they are configured in the app’s AndroidManifest.xml file.

Explicitly controlling component visibility

It is possible to override the default public/private visibility of a component by adding to the component’s declaration in the AndroidManifest.xml file:

android:exported=true

to make the component public, or

android:exported=false

to make the component private.

It is good practice to explicitly set android:exported to be sure that the component has exactly the visibility you want. The most likely mistake is making a component public when it should be private (with the obvious potential security implications), as the converse would likely be soon discovered when something failed to work as expected.

Notes for Nerds: it is also possible for a private component to be accessed by a component in a different app, if that app has the same UID.